MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7
SHA3-384 hash: ba17c55cbb97b3660793f809a8dffbaaf96f167d1c97571dc357beb1d816ad0d64c35a26c331798b5c018433c02865fb
SHA1 hash: 6297a6c253b45f0da2081bb32353290a09032571
MD5 hash: cbf6eddcc128179bbec51e10a47b5f53
humanhash: berlin-berlin-cold-avocado
File name:cbf6eddcc128179bbec51e10a47b5f53.exe
Download: download sample
File size:2'115'072 bytes
First seen:2022-09-19 08:01:29 UTC
Last seen:2024-01-13 00:46:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 52a55fb51c40f0fd1f56d98fc22d67be (2 x ArkeiStealer)
ssdeep 24576:k6srXceyuNwmmQ/utbwkQ/TEOMfbYz413KX19GvoifmckhOQXeSMmXjSsnzcr+U0:ZMgPVgryjUBHcv5w
Threatray 4'978 similar samples on MalwareBazaar
TLSH T1DDA546BC6E005C9E90570AA758DC8174C1B0DD7D878AFBA31B70E87F496226F3F25A58
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cbf6eddcc128179bbec51e10a47b5f53.exe
Verdict:
Suspicious activity
Analysis date:
2022-09-19 08:03:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf1677e8-b67a-4297-8d29-a2b3bf320f65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311226/
Detection(s):
SecuriteInfo.com.Variant.Tedy.205554.6677.15269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Running batch commands
Searching for the window
Creating a process from a recently created file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6328227f18e6e2d239dfad59/reports/3c1921ef-c25b-493f-8263-4c26d4fb776b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56d3c99d-cc72-4ac4-b74b-69f0bb2af826
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1072781
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-09-18 18:38:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ni6dqx3c5qqrxlywljmxg7wo6tqqmnl6izmchouxbqsfduyqg3q._file
Verdict:
malicious
Similar samples:
0bcccf1737d0879c490a4769bf80d80b33c9d0cc6fe014862f88411ae35d500d
16e65b3b00a358ad40b69c7f4700a589ba0a636caa15bb8720ee423afaf89125
338d6376434f33f3997d6a457d8dddd603697b7d8267fc7f306387d99d4dcb6c
3d131ee244187188c98d903cf951a764244daa1d16855ac5c923fd0173589ff5
6a42f7e5290bf7e40e1aa0c0e9ceda098a612d6dda9b7fa613e0c3a58b16b826
6c01253169adfbb36a7b2bcd1e284eee9a473a90e823c280927a2628fbaeba74
6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6
95c10db9f04556094feb692034a2ddc911b30cbe34c7e27df1d085f97f70afe3
bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
+ 4'968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220919-jw468abddr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9208018-3cc8-4097-8019-92336c35d433
Unpacked files
SH256 hash:
576b1d2fbba62763b98edbe8bf8b64366b2bc7445e907dee0e55bf6999c07cf4
MD5 hash:
75afae5b368435089953fa47f772c2b4
SHA1 hash:
d472f3127565b2801fd0a000fb2e9d6f84d0510c
Link:
https://www.unpac.me/results/2fcc13f9-6254-46b5-a225-3e228e764e8b/
SH256 hash:
e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7
MD5 hash:
cbf6eddcc128179bbec51e10a47b5f53
SHA1 hash:
6297a6c253b45f0da2081bb32353290a09032571
Link:
https://www.unpac.me/results/2fcc13f9-6254-46b5-a225-3e228e764e8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e351e1c2fb176108dd78b2d2cb9bf677a70831abf232c11dd4b861228e9881b7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2307359/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311226/

Comments